Question
Does client_credentials grant type support a refresh token scenario?
How should access_token expiry be handled when using client_credentials grant type?
I have an authorization service and secured services behind a proxy service (Zuul with EnableOAuth2Sso) which acts as a gateway for all requests coming from client application.
Here is the flow I have:
- A proxy service (zuul) that accepts requests (rest api) from client application
- Proxy service invokes Authorization Service api by posting client_id, client_secret and grant_type (client_credentials) and gets access_token, refresh_token, and expire time from the response
- Proxy Service routes the original request to protected services as per zuul route mapping.
This flow works fine, but looking at the code in ClientCredentialsAccessTokenProvider I noticed that 'supportsRefresh' returns false and the 'refreshToken' method returns null. Does this mean that when the access_token expires, any subsequent requests from client applications to the proxy service (zuul) will fail?
Answer 1:
The client_credentials OAuth grant serves the need of machine-to-machine authentication, so there is no need to refresh the token.
As a result, in Spring Security OAuth's ClientCredentialsAccessTokenProvider, supportsRefresh returns false and the refreshToken method returns null.
In fact, your authorization server and resource server are all in the same place (which means the token generation is pretty cheap), much like our setup. I suggest you just set a short lifespan (like 10 minutes) for the access token, treat them as disposable, and get an access token every time you want to touch the secured resource.
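The answer's suggestion worked through as an added example (not code from the question or answer, and not Spring's ClientCredentialsAccessTokenProvider): a token source that caches the access_token and re-runs the client_credentials grant shortly before expires_in runs out, instead of trying a refresh_token grant that this flow does not offer. FakeTokenEndpoint is a constructed stand-in for the authorization server's token endpoint; its name, ClientCredentialsTokenSource and the 30-second skew are assumptions of this example.

```python
"""Client-credentials token source that re-requests instead of refreshing."""
import time
from typing import Callable, Dict, Optional


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.

    Mirrors the behaviour described above: a token carries expires_in,
    no refresh_token is issued, and grant_type=refresh_token is rejected.
    """

    def __init__(self, client_id: str, client_secret: str, lifetime: int = 600):
        self._creds = (client_id, client_secret)
        self._lifetime = lifetime          # seconds; the answer suggests ~10 min
        self.issued = 0                    # tokens minted so far (for inspection)

    def post(self, form: Dict[str, str]) -> Dict[str, object]:
        if form.get("grant_type") != "client_credentials":
            raise PermissionError("unsupported_grant_type")
        if (form.get("client_id"), form.get("client_secret")) != self._creds:
            raise PermissionError("invalid_client")
        self.issued += 1
        return {"access_token": f"tok-{self.issued}",
                "token_type": "Bearer", "expires_in": self._lifetime}


class ClientCredentialsTokenSource:
    """Caches one access token and fetches a fresh one shortly before expiry."""

    def __init__(self, endpoint: FakeTokenEndpoint, client_id: str,
                 client_secret: str, clock: Callable[[], float] = time.time,
                 skew: int = 30):
        self._endpoint, self._clock, self._skew = endpoint, clock, skew
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token(self) -> str:
        now = self._clock()
        # Re-request `skew` seconds early so a token never expires mid-request.
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._endpoint.post(self._form)
            self._token = str(resp["access_token"])
            self._expires_at = now + int(resp["expires_in"])
        return self._token

    def authorization_header(self) -> Dict[str, str]:
        """Header the proxy attaches when routing to a protected service."""
        return {"Authorization": f"Bearer {self.token()}"}
```

A real deployment would swap FakeTokenEndpoint for an HTTP POST to the authorization server and keep the cache per client credential.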
Source: https://stackoverflow.com/questions/44508503/spring-security-client-credentials-grant-type-support-for-refresh-token